DIACAP Team. Comprised of the individuals responsible for implementing the DIACAP for a specific DoD IS. At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives. (DoDI 8510.01, E2.25)

Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.) (DoDI 8510.01, E2.19) *DAA is Authorization Officer (2014)

Program Manager or System Manager (PM or SM). For the purpose of this Instruction, the individual with responsibility for and authority to accomplish program or system objectives for development, production, and sustainment to meet the user’s operational needs. (DoDI 8510.01, E2.50)

Certifying Authority (CA). The senior official having the authority and responsibility for the certification of ISs governed by a DoD Component IA program. (DoDI 8510.01, E2.12)

Certifying Authority Representative. An official appointed by and acting on behalf of the CA (DoDI 8510.01, E2.13).

IA Manager (IAM). The individual responsible for the information assurance program of a DoD information system or organization. While the term IAM is favored within the Department of Defense, it may be used interchangeably with the IA title Information Systems Security Manager (ISSM). (DoDI 8500.2, E2.1.27). Requirements: must demonstrate need to know (DoDD 8500.1, para 4.8), must be a US citizen (DoDI 8500.2, para 5.8.3), and must hold the applicable DoD 8570 certifications.

IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer). (DoDI 8500.2, E2.1.28)

Senior Information Assurance Officer (SIAO). The official responsible for directing an organization’s IA program on behalf of the organization’s chief information officer. (E2.54)

The entire DIACAP process has many players involved, which gives the system a high level of visibility and decentralized responsibility.

Air Force Roles:

The Air Force DAA is AFNETOPS/CC (Gen. Elders, circa 2008). AFCA/CC serves as the DAA Representative (AFPD 33-2, para 5.9.6). The Air Force uses the DAA as the PAA. AFCA/EVSS acts as the Certifying Authority for the Security discipline of the SISSU process. Ref: AFPD 33-2, AFI 33-210

16 Comments on DIACAP Team

DAA – My DAA is a one star. You’re telling me he’s supposed to sit in on the meetings?

PM/SM – This would be the system owner or system POC?

CA – ??? … how would this differ from the DAA?

CAR – ??? is this similar to the role of the ACA?

Answer:
The DAA usually delegates to a lower more tech savvy person. Or at least, that has been my experience. When I was in the AF, our commander (full bird) was the DAA which was pushed down from the Wing Commander. All packages were read and evaluated by an Ops officer (a Capt). If the Ops officer approved then the commander would usually sign off. These days the DAA has been pushed to an even higher level (in the Air Force anyway). This Capt could be seen as the Certifying Authority, because it should be someone who is knowledgeable enough to realize what risks to take and which ones are unacceptable. They will typically have a lot of say in whether the system is acceptable.

I don’t know about the other branches, but the USAF depends completely on the IA Component as the CA which is AFCA.

In the Air Force, the DAA is the AFNETOPS/CC. Stick with DoD 8510.10 and 8500.02.

The IA Component is a great guide for the entire process. For the Army it’s the Army NETCOM Information Assurance Office; Navy info can be found here: http://www.doncio.navy.mil

The PM or Program Management Office is critical because they manage the money and sustainment issues on a system. They will have to answer important sustainment questions as well as help coordinate how certain IA Controls will (or won’t – lol) be implemented. The PM works closely with the system owner (and I suppose it can sometimes be the system owner). 8510 points out which roles can be one and the same and which ones cannot.

Fred Juarez

April 29, 2008 at 11:31 am

I am a program manager for a manpower tool that does not receive or transmit data. It reads a file and the output is written to a file (much like Excel or Access operates). Would that be categorized as a system? The tool is an application installed on an individual’s PC.

elamb.security

April 29, 2008 at 6:44 pm

Fred,

I don’t have a lot of experience with plain applications.

I would contact the AF Infostructure Technology Reference Model (i-TRM) to determine the appropriate action to take https://infostructure.hq.af.mil — I think that is the link. They are who you want to talk to for applications.

Daniel

AL Hough

January 12, 2010 at 1:42 am

What requirements apply when considering a DIACAP on a server that will host applications that are on the approved software listing? Does the system require a full DIACAP or can it have an executive package created? The system itself is not going to be an application server in the sense that it will be dedicated to hosting one application. Also, what requirements apply when the server will host user shares and organizational data? For file servers already within an enclave (our servers are on a domain we do not own), does the host hold any responsibility for providing our organization with info regarding Inherited IA Controls?

Hi Rob, thanks for all of your work. I’ve tuned in to your thoughts since 2009 – did you notice that RMF transformation was listed on the DIACAP KS all the way back in 2010?? I see from your http://diarmfs.com/ site that it looks like things are moving closer…

If you know of any slides that are written from contractor / vendor view on DIACAP process, can you turn me on to them? I have a good project plan on tasks / planning from the vendor’s view to *integrate* with the Govt IA functions that I can share.

On my site I have a lot of IA papers and thoughts…take a look when you have some time.

KreativePlace

Mike Grandy

October 28, 2014 at 11:20 am

Rob, I work in IA, and have worked for both the government (IC) and private enterprise on contract to the Government (CIA, DNI, DISA, NGA) since 1971. I’ve been involved in the transition to the RMF from DCID 6/3 and DIACAP practically since its inception (ca 2006) and would like to join your site, but I can’t get by the “register” tag, which takes me to an invalid site name alert. Can you help me out? I have questions for you. Thanks.